Re: "LAND" Attack Update

Aleph One (aleph1@dfw.net)
Fri, 21 Nov 1997 13:22:22 -0600

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Paul Leach: "IP DOS attacks -- Win95 patches available"
Previous message: blast: "44BSD port of land.c"
Maybe in reply to: Aleph One: ""LAND" Attack Update"
Next in thread: Charles M. Hannum: "Re: "LAND" Attack Update"

The latest update. It seems that not many versions of IOS are affected.
The symptoms can also be strange. It will stop accepting connection, then
after 30 seconds if may stop accepting processing ICMP echos, and after
that it stops forwarding packets. So if you perform the test wait a couple
of minutes and see if it still up before you come to any conclusions. Ivan
Ganev also reports that testing again port 23 alone would not kill the
router but testing againts the first 255 ports did.

>From the reports is seem to be the older revisions of IOS (10.X and 11.0)
in certain hardware configurations and the Cisco 700 Series ISDN access
routers (not running IOS) are vulnerable.

We keep getting conflicting reports for FreeBSD and OpenBSD. The are
enough reports and indications that those operating systems are indeed
vulnerable but the vulnerabilitiy may not show up in all configurations
depending on the enviroment, the intensity of cosmic rays, the phase of
the moon, and if the testing person is left or right handed.

An external "land" attack should not be an issue if you are filtering IP
address spoofing at your ingress routers. You _ARE_ doing so? Correct?
Well in case you forgot you can find Paul Ferguson's "Network Ingress
Filtering: Defeating Denial of Service Address Spoofing" Internet Draft at
ftp://ietf.org/internet-drafts/draft-ferguson-ingress-filtering-03.txt
I highly recommend you implement it's recommendations. Of curse you are
still at the mercy of those behind the filter.

The survey says:

AIX 3 IS vulnerable
AIX 3.2 NOT vulnerable
AIX 4 NOT vulnerable
AIX 4.1 NOT vulnerable
BeOS Preview Release 2 PowerMac IS vulnerable
BSDI 2.1 (vanilla) IS vulnerable
BSDI 2.1 (K210-021,K210-022,K210-024) NOT vulnerable
BSDI 3.0 NOT vulnerable
DG/UX R4.12 NOT vulnerable
Digital UNIX 4.0 NOT vulnerable
FreeBSD 2.2.2-RELEASE (confilcting reports)
FreeBSD 2.2.5-RELEASE (conflicting reports)
FreeBSD 2.2.5-STABLE (conflicting reports)
FreeBSD 3.0-CURRENT IS vulnerable
HP External JetDirect Print Servers IS vulnerable
HP-UX 10.20 IS vulnerable
IRIX 5.3 IS vulnerable
IRIX 6.2 NOT vulnerable
IRIX 6.3 NOT vulnerable
IRIX 6.4 NOT vulnerable
Linux 2.0.30 NOT vulnerable
Linux 2.0.32 NOT vulnerable
MacOS 7.5.1 NOT vulnerable
MacOS 8.0 IS vulnerable (TCP/IP stack
crashed)
MVS OS390 1.3 NOT vulnerable
AIX 4.1 NOT vulnerable
NetApp NFS server 4.3 IS vulnerable
NetBSD 1.1 IS vulnerable
NetBSD 1.2 IS vulnerable
NetBSD 1.2a IS vulnerable
NetBSD 1.2.1 IS vulnerable
NetBSD 1.3_ALPHA IS vulnerable
NeXTSTEP 3.0 IS vulnerable
NeXTSTEp 3.1 IS vulnerable
Novell 4.11 NOT vulnerable
OpenBSD 2.1 (conflicting reports)
OS/2 3.0 NOT vulnerable
QNX 4.24 IS vulnerable
OpenBSD 2.2 (Oct31) NOT vulnerable
SCO OpenServer 5.0.4 NOT vulnerable
Salaris 2.4 NOT vulnerable
Solaris 2.5.1 NOT vulnerable
Solaris 2.6 NOT vulnerable
SunOS 4.1.4 IS vulnerable
Ultrix ??? NOT vulnerable
Windows 95 (vanilla) IS vulnerable
Windows 95 + Winsock 2 + VIPUPD.EXE IS vulnerable
Windows NT (vanilla) IS vulnerable
Windows NT + SP3 IS vulnerable
Windows NT + SP3 + simptcp-fix IS vulnerable

Some misc stuff:

3Com SuperStack II IS vulnerable
Apple LaserWriter IS vulnerable
Ascend 4000 5.0Ap20 NOT vulnerable
Ascend Pipeline 50 rev 5.0Ai16 NOT vulnerable
Ascend Pipeline 50 rev 5.0Ap13 NOT vulnerable
BayNetworks MARLIN 1000 OS (0).3.024(R) NOT vulnerable
BinTec BIANCA/BRICK-XS 4.6.1 router IS vulnerable
Cisco IOS 10.3(7) IS vulnerable
Cisco IOS 11.1(13) NOT vulnerable
Cisco 1003 IOS 11.0 NOT vulnerable
Cisco 1005 IOS 11.0(4) NOT vulnerable
Cisco 1600 IOS 11.0(6) fc1 IS vulnerable
Cisco 1601 IOS 11.1(8) AA NOT vulnerable
Cisco 1601 IOS 11.1(10)AA NOT vulnerable
Cisco 2500 IOS 11.0(9) NOT vulnerable
Cisco 2500 IOS 11.1(6) fc1 IS vulnerable
Cisco 2500 IOS 11.1(10) NOT vulnerable
Cisco 2501 IOS 10.2 IS vulnerable
Cisco 2501 IOS 10.2(2) IS vulnerable
Cisco 2501 IOS 10.(7) IS vulnerable
Cisco 2501 IOS 11.1(9) NOT vulnerable
Cisco 2501 IOS 11.2(4)P NOT vulnerable
Cisco 2503 IOS 11.0(9) IS vulnerable
Cisco 2509 IOS 11.1 NOT vulnerable
Cisco 2511 IOS ??? IS vulnerable
Cisco 2511 IOS 10.3(4) NOT vulnerable
Cisco 2511 IOS 11.1(8) NOT vulnerable
Cisco 2511 IOS 11.2(4) NOT vulnerable
Cisco 2514 IOS 11.2(5) NOT vulnerable
Cisco 3102 IOS 9.X IS vulnerable
Cisco 4000 IOS 11.0(7) NOT vulnerable
Cisco 4000 IOS 11.1(6) NOT vulnerable
Cisco 4000 IOS 11.2(4) fc1 NOT vulnerable
Cisco 4000 IOS 11.2(9) NOT vulnerable
Cisco 4500 IOS 10.13(15) IS vulnerable
Cisco 4500 IOS 11.2(9) NOT vulnerable
Cisco 4700M IOS 11.0(16) NOT vulnerable
Cisco 7000 IOS 11.0(1) NOT vulnerable
Cisco 7000 IOS 11.0(16) NOT vulnerable
Cisco 7000 IOS 11.1(12) NOT vulnerable
Cisco 7000 IOS 11.2(8) NOT vulnerable
Cisco 7507 IOS 11.0(17) NOT vulnerable
Cisco 753 OS Release 4 IS vulnerable
Cisco 753 OS Release 4.0 IS vulnerable
Cisco 754 OS Release 4.1 IS vulnerable
Cisco 761 OS Release 4.0(1) IS vulnerable
Cisco Catalyst 5000 IS vulnerable
Digital VT1200 IS vulnerable
HP Envizex Terminal IS vulnerable
LaserJet Printer NOT vulnerable
Livingston Office Router (ISDN) IS vulnerable
Livingston PM ComOS 3.3.3 NOT vulnerable
Livingston PM ComOS 3.5b17 + 3.7.2 NOT vulnerable
Livingston PM ComOS 3.7L NOT vulnerable
Livingston Enterprise PM 3.4 2L NOT vulnerable
Milkyway Firewall 3.02 (SunOS) IS vulnerable
NCD X Terminals, NCDWare v3.1.0 IS vulnerable
NCD X Terminals, NCDWare v3.2.1 IS vulnerable

Next message: Paul Leach: "IP DOS attacks -- Win95 patches available"
Previous message: blast: "44BSD port of land.c"
Maybe in reply to: Aleph One: ""LAND" Attack Update"
Next in thread: Charles M. Hannum: "Re: "LAND" Attack Update"